Page granular curtained memory via mapping control

ABSTRACT

Methods of providing and limiting access to trusted memory are provided. Trusted memory pages are not mapped with page map pages. When a central processor is operated in a page-mapping mode, access to the trusted memory is limited. In particular, without mapping information, software and hardware modules cannot access and modify the contents of trusted memory sections.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to the field of electronic data processing. More particularly, the invention provides methods and devices for restricting access to sections of memory modules.

2. Description of the Related Art

Modern computer operating systems are configured to allow users to easily install hardware and software. One drawback of such open operating systems is that they are inherently untrustworthy. For example, operating systems that allow users to change data stored in kernel memory or system files are vulnerable to attacks by computer viruses. Moreover, operating systems that allow the modification of all of the content stored in a computer's memory can be damaged by improperly designed or installed software and hardware components.

Another drawback of open operating systems is that they limit the content that providers are willing to distribute to computer users. In particular, content providers are reluctant to distribute valuable audio, video or other content to computer devices that allow users to easily copy and redistribute the content.

Therefore, there exists a need in the art for operating systems and methods that provide trusted memory sections that are difficult or impossible to modify with computer viruses, drivers or other hardware or software components. Moreover, there exists a need in the art for operating systems and methods that provide application programs, stored in trusted memory, that limit a user's ability to copy and redistribute content.

BRIEF SUMMARY OF THE INVENTION

The present invention overcomes one or more of the limitations of the prior art by providing methods, systems and computer-executable components for controlling access to memory by controlling the values that appear in page map pages. A computer operating system may be configured to operate in a page-mapping mode with trusted memory sections not mapped by page map pages. Without mapping information, software and hardware modules cannot access and modify the contents of trusted memory sections. Page map pages may be configured to be read-only. An attempt to edit a read-only page may be intercepted and filtered with a PTE-edit module. The PTE-edit module allows only modifications that maintain the trusted memory section. The PTE-edit module also ensures that the page tables themselves are only mapped read-only, so that the PTE-edit module is invoked whenever the operating system or an adversary attempts to modify the mappings.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example and not limited in the accompanying figures, in which like reference numerals indicate similar elements and in which:

FIG. 1 is a block diagram of a general-purpose computer system capable of being used in conjunction with the present invention;

FIG. 2 illustrates a memory module partitioned into trusted and non-trusted sections in accordance with an embodiment of the invention;

FIG. 3 illustrates the mapping of a virtual address to a corresponding physical memory page;

FIG. 4 illustrates a method of storing data in accordance with an embodiment of the invention;

FIG. 5 illustrates a method of controlling access to trusted memory pages in accordance with an embodiment of the invention; and

FIG. 6 illustrates a hardware configuration that may be implemented to limit direct memory access to memory modules.

DETAILED DESCRIPTION OF THE INVENTION

Aspects of the present invention may be implemented with computer devices that have trusted memory sections implemented by page tables or similar mapping constructs. Such computer devices may include personal computers, personal digital assistants, hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, and the like. The operating systems of the computer devices may be configured to limit access to and modification of page map pages to provide trusted memory sections.

Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, that are executed by computer devices. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform particular tasks or implement particular abstract data types. In distributed computing systems, tasks may be performed by remote computer devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

FIG. 1 is a schematic diagram of a conventional general-purpose digital computing environment that can be used to implement various aspects of the invention. Computer 100 includes a processing unit 110, a system memory 120 and a system bus 130 that couples various system components including the system memory to the processing unit 110. System bus 130 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. System memory 120 includes a read only memory (ROM) 140 and a random access memory (RAM) 150.

A basic input/output system (BIOS) 160 containing the basic routines that help to transfer information between elements within the computer 100, such as during start-up, is stored in ROM 140. Computer 100 also includes a hard disk drive 170 for reading from and writing to a hard disk (not shown), a magnetic disk drive 180 for reading from or writing to a removable magnetic disk 190, and an optical disk drive 191 for reading from or writing to a removable optical disk 192, such as a CD ROM or other optical media. Hard disk drive 170, magnetic disk drive 180, and optical disk drive 191 are respectively connected to the system bus 130 by a hard disk drive interface 192, a magnetic disk drive interface 193, and an optical disk drive interface 194. The drives and their associated computer-readable media provide nonvolatile storage of computer readable instructions, data structures, program modules and other data for personal computer 100. It will be appreciated by those skilled in the art that other types of computer readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, random access memories (RAMs), read only memories (ROMs), and the like, may also be used in the exemplary operating environment.

A number of program modules can be stored on the hard disk, magnetic disk 190, optical disk 192, ROM 140 or RAM 150, including an operating system 195, one or more application programs 196, other program modules 197, and program data 198. A user can enter commands and information into computer 100 through input devices, such as a keyboard 101 and a pointing device 102. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit 110 through a serial port interface 106 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, a game port, a universal serial bus (USB) or through a PCI board. A monitor 107 or other type of display device is also connected to system bus 130 via an interface, such as a video adapter 108. In addition to the monitor, personal computers typically include other peripheral output devices (not shown), such as speakers and printers.

Computer 100 can operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 109. Remote computer 109 can be a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to computer 100, although only a memory storage device 111 has been illustrated in FIG. 1. The logical connections depicted in FIG. 1 include a local area network (LAN) 112 and a wide area network (WAN) 113. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.

When used in a LAN networking environment, computer 100 is connected to local network 112 through a network interface or adapter 114. When used in a WAN networking environment, personal computer 100 typically includes a modem 115 or other means for establishing communications over wide area network 113, such as the Internet. Modem 115, which may be internal or external, is connected to system bus 130 via serial port interface 106. In a networked environment, program modules depicted relative to personal computer 100, or portions thereof, may be stored in the remote memory storage device.

It will be appreciated that the network connections shown are exemplary and other ways of establishing a communications link between the computers can be used. The existence of any of various well-known protocols, such as TCP/IP, Ethernet, FTP, HTTP and the like, is presumed, and the system can be operated in a client-server configuration to permit a user to retrieve web pages from a web-based server. Any of various conventional web browsers can be used to display and manipulate data on web pages.

FIG. 2 illustrates a memory module 200 partitioned in accordance with an embodiment of the invention. Memory module 200 is divided into a trusted section 202 and a non-trusted section 204. Memory module 200 is also divided into a user mode memory section and a kernel mode memory section. Page directory pages 206 and page table pages 208 may be stored in a read only section of non-trusted user mode memory. Page directory pages 206 and page table pages 208 may be used to map a virtual address to a physical memory page in the manner described below. One skilled in the art will appreciate that the present invention is not limited to embodiments that include both page directory pages and page table pages. As used herein, a “page map page” may include a page directory page, a page table page or any other data structure used to map a virtual address to a physical memory page.

The trusted user mode section of memory 200 may contain trusted applets 210. In one aspect of the invention, trusted applets 210 include program modules for presenting audio, visual or other content to users. Trusted applets 210 may be configured to limit the user's ability to distribute and/or copy the delivered content. One or more trusted applets 210 may be executed when a user of the computer device views or otherwise utilizes content that a content owner has configured to operate with the trusted applets. For example, a trusted applet may be a media player or an e-commerce application. In fact, trusted applets have a vast array of uses: basically any time one party wants to have confidence in what a different party did or did not do with some data, be it media, a document, etc. They also allow for the enforcement of distributed rules systems.

An operating system 212 is stored in the kernel mode memory section of memory 200. Operating system 212 is divided into a main operating system 214 stored in non-trusted kernel mode memory and a nub operating system 216 stored in trusted kernel mode memory. Main operating system 214 may be configured to control the operation of software and hardware components in a conventional manner. Main operating system 214 has access to content stored in non-trusted memory section 204, but not to trusted memory section 202. Nub operating system 216 may be a fully featured operating system, supporting memory, processes, threads, IO, and other common OS services, or may be a trusted security kernel providing a minimum set of services necessary to host simple applications or “trusted agents,” and using main operating system 214 and its devices and drivers for all non-security-sensitive actions. Nub operating system 216 may access content stored in both non-trusted memory section 204 and trusted memory section 202. In one implementation, nub operating system 216 can be started and stopped and be invoked several different times. For example, nub operating system 216 could be started as part of a boot operation, unloaded, and then started again to do ongoing restricted-access work.

Nub operating system 216 provides mechanisms to establish and maintain its security environment. Initial establishment of a security environment may utilize hardware assistance. The hardware may ensure that nub operating system 216 initialization code executes to completion without possible subversion by prior code executing on the machine, other processes, or other devices that have been programmed by an adversary.

Nub operating system 216 may include nub initialization code. Nub initialization code may use the platform security features to protect itself from potentially adversarial behavior of the main operating system, its devices, drivers, or applications. This may include configuring the chipset to deny DMA writes to any protected memory, and performing certain actions before transferring control back to the main operating system. Part of these actions may be to validate the page map of the processor that will run when main operating system 214 is next scheduled to run.

Nub operating system 216 may also perform many conventional operating system functions. This may include establishing exception handlers to process externally generated interrupts and internally generated exceptions. Nub operating system 216 may also provide services to construct threads and processes, usually following instructions from main operating system 214. Moreover, nub operating system 216 may provide processes with a more trusted address space than a conventional operating system. For example, nub operating system 216 may be configured to not be debuggable by adversarial code. Cryptographic services may be provided by nub operating system 216 to its processes that allow nub operating system processes to keep secrets from adversarial code and to authenticate themselves to remote parties.

In one embodiment of the invention, following nub operating system 216 initialization, the processor can switch backwards and forwards between normal and protected mode under the control of software. Nub operating system 216 can at any time relinquish trusted mode by issuing a suitable processor instruction. Typically, nub operating system 216 will save any register or other state that is considered sensitive to protected memory before initiating such a transition.

Similarly, in one embodiment, any suitably privileged code running in main operating system 214 can initiate a context switch into trusted mode; however, the platform will ensure that execution of nub operating system 216 always begins at a code location (or one of the code locations) of the choosing of nub operating system 216, and may ensure that no prior execution state, beyond that passed explicitly or implicitly as parameters, can affect the execution of nub operating system 216.

One skilled in the art will appreciate that additional software modules may also be stored in user mode memory and kernel mode memory. For example, drivers 218 may be stored in non-trusted kernel mode memory. A page table entry edit module 220 is stored in trusted kernel mode memory to control edits to page map pages. Page table entry edit module 220 may validate, add to and modify entries in page directory pages 206 and page table pages 208 when the computer device is operated in a trusted mode. In one implementation, a single page table entry edit module 220 may provide more than one trusted memory section to allow more than one nub operating system 216 to run at a time.

FIG. 3 illustrates the mapping of a virtual address 302 to a corresponding physical memory page 304. The conventional mapping of virtual addresses to physical memory pages is described in detail in many publicly available CPU manuals. The mapping uses a page directory page 306 and page table pages 308 a-308 c to locate page 304 of physical memory 310. Virtual address 302 includes a page directory offset value 302 a, a page table offset value 302 b and a memory offset value 302 c. Page directory offset value 302 a selects an entry in page directory page 306. That entry points to page table page 308 b. Page table offset value 302 b selects a specific entry in page table page 308 b. That entry points to physical memory page 304 within physical memory 310. Memory offset value 302 c selects the location within page 304.

When an operating system is operated in a page-mapping mode, a software or hardware component must utilize page map pages, such as page directory 306 and/or page tables 308 a-308 c, to locate pages of physical memory 310. Memory 310 includes trusted sections 312, 314, 316 and 318, each marked with an asterisk for illustration purposes. Page directory page 306 and page table pages 308 a-308 c do not contain entries pointing to trusted memory sections 312, 314, 316 and 318. Therefore, hardware and software modules that must go through page directory 306 and/or page tables 308 a-308 c cannot locate, read or modify the contents of trusted memory pages.
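The walk just described, together with the curtaining property that no page map entry reaches a trusted page, as an added example in C that is not part of the patent. It models two-level x86 paging with 4 KiB pages over an invented toy physical memory; the frame numbers, the `tpv` byte array standing in for trusted page vector 322, and the helper names (`translate`, `mappings_to_trusted`, `build_sample_map`) are assumptions of the example. The rogue edit at the end shows what happens when the page map pages themselves remain writable by untrusted code.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the patent's code. Models the two-level mapping of
 * FIG. 3 with x86-style 4 KiB pages: a 10-bit page directory offset (302a),
 * a 10-bit page table offset (302b) and a 12-bit memory offset (302c).
 * The toy physical memory, frame numbers and trusted-page set are invented. */

#define PAGE_SHIFT   12
#define ENTRIES      1024
#define NFRAMES      64                    /* frames in the toy physical memory 310 */
#define PTE_PRESENT  0x1u
#define PTE_RW       0x2u
#define PTE_FRAME(e) ((e) >> PAGE_SHIFT)
#define MK_PTE(f, fl) (((uint32_t)(f) << PAGE_SHIFT) | (fl))
#define PA_INVALID   UINT32_MAX

typedef uint32_t pte_t;
static pte_t   phys[NFRAMES][ENTRIES];    /* each frame viewed as 1024 32-bit words */
static uint8_t tpv[NFRAMES];              /* trusted page vector 322: 1 = trusted frame */

/* Walk the page map rooted at directory frame `root` for virtual address `va`.
 * Returns the physical address, or PA_INVALID if a level is not present. */
uint32_t translate(unsigned root, uint32_t va)
{
    unsigned pd_idx = (va >> 22) & 0x3ff;        /* page directory offset 302a */
    unsigned pt_idx = (va >> 12) & 0x3ff;        /* page table offset 302b */
    unsigned offset =  va        & 0xfff;        /* memory offset 302c */

    pte_t pde = phys[root][pd_idx];
    if (!(pde & PTE_PRESENT) || PTE_FRAME(pde) >= NFRAMES) return PA_INVALID;
    pte_t pte = phys[PTE_FRAME(pde)][pt_idx];
    if (!(pte & PTE_PRESENT) || PTE_FRAME(pte) >= NFRAMES) return PA_INVALID;
    return (PTE_FRAME(pte) << PAGE_SHIFT) | offset;
}

/* The curtaining property stated for FIG. 3: no present entry reachable
 * from `root` may name a trusted frame. Returns how many entries violate it. */
unsigned mappings_to_trusted(unsigned root)
{
    unsigned bad = 0;
    for (unsigned d = 0; d < ENTRIES; d++) {
        pte_t pde = phys[root][d];
        if (!(pde & PTE_PRESENT) || PTE_FRAME(pde) >= NFRAMES) continue;
        const pte_t *pt = phys[PTE_FRAME(pde)];
        for (unsigned t = 0; t < ENTRIES; t++)
            if ((pt[t] & PTE_PRESENT) && PTE_FRAME(pt[t]) < NFRAMES && tpv[PTE_FRAME(pt[t])])
                bad++;
    }
    return bad;
}

/* Sample layout: frame 1 is the page directory, frame 2 a page table, frames
 * 3 and 4 ordinary data pages, frame 5 trusted (in tpv, absent from the map). */
unsigned build_sample_map(void)
{
    memset(phys, 0, sizeof phys);
    memset(tpv, 0, sizeof tpv);
    phys[1][0] = MK_PTE(2, PTE_PRESENT | PTE_RW);   /* PDE 0 -> page table in frame 2 */
    phys[2][0] = MK_PTE(3, PTE_PRESENT | PTE_RW);   /* VA 0x00000000.. -> frame 3 */
    phys[2][1] = MK_PTE(4, PTE_PRESENT);            /* VA 0x00001000.. -> frame 4, read-only */
    tpv[5] = 1;
    return 1;
}

int main(void)
{
    unsigned root = build_sample_map();
    printf("VA 0x00001abc -> PA 0x%08x\n", (unsigned)translate(root, 0x00001abcu));
    printf("VA 0x00002000 -> 0x%08x (PA_INVALID)\n", (unsigned)translate(root, 0x00002000u));
    printf("entries reaching trusted frames: %u\n", mappings_to_trusted(root));
    /* Without mapping control, one rogue page-table write curtains nothing: */
    phys[2][2] = MK_PTE(5, PTE_PRESENT | PTE_RW);
    printf("after rogue edit: %u (VA 0x00002000 -> 0x%08x)\n",
           mappings_to_trusted(root), (unsigned)translate(root, 0x00002000u));
    return 0;
}
```

`mappings_to_trusted` is the check a trusted component would run over a page map it has not seen before: it is exhaustive, so a single stray entry anywhere in the tree is caught, whereas `translate` only answers for one address.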

Page directory page 306 and page table pages 308 a-308 c may be configured to prevent mapping of trusted memory sections 312, 314, 316 and 318 by storing the content of page directory page 306 and page table pages 308 a-308 c in read-only format when the computer device is operating in a non-trusted mode. An unauthorized attempt to write data to them then results in an error or fault condition. In one implementation, when such a fault condition occurs, the processor or software must initiate a context switch into PTE-edit control module 220 (also abbreviated PTE-EC below) running in trusted mode, where the edit or addition is examined by PTE-edit control module 220 and allowed, disallowed (resulting in an unrecoverable error condition), or modified. Edits and additions to page directory 306 and page tables 308 a-308 c are controlled by PTE-edit control module 220 stored in trusted memory section 202. As a result, edits and additions to page directory 306 and page tables 308 a-308 c can only be made when the computer device is operated in a trusted mode.

The precise behavior of PTE-edit control module 220 may depend on the characteristics of the physical page that is being mapped or being removed from the map. In the case that the properties of the page are being modified (for example, if a page is being switched from read-write to read-only), PTE-edit control module 220 may be configured to behave differently depending on the characteristics of the physical page being referenced. A page map page vector 320 (PMV) indicates whether or not memory pages are page map pages (page directories, page tables, or other paging structures for more complicated mapping architectures). As used herein, a “vector” is a representation of a set, and may be implemented with a bit vector, list of integers, list of addresses, or any other arbitrary representation of a set. A bit value of 1 may indicate that a page is a page map page. Page map page vector 320 may be large enough to contain a bit value for every memory page and may be used by software or hardware to identify and limit access to page map pages, or be used by PTE-edit control module 220 to determine its actions in response to page edit requests by main operating system 214.

A subset of page map page vector 320 is those pages that are allowed as page-map roots. Page map roots are often called page directories. A root page vector, or RPV, indicates these pages. In one aspect of the invention, pages identified as allowed root pages are always included in page map page vector 320. PTE-edit control module 220 may arrange that all mappings to pages in page map page vector 320 are read-only when accessed by main operating system 214 or its applications. A read-only mapping ensures that untrusted code cannot directly change mapping data without the actions being validated, filtered, or modified by PTE-edit control module 220.

A trusted page vector 322 may store access values indicating whether or not memory pages are trusted or restricted. For example, a bit value of 1 may indicate that a memory page is trusted and a bit value of 0 may indicate that a memory page is non-trusted. A trusted page is inaccessible if the processor is not in trusted mode. Nub operating system 216 may identify memory that is for its exclusive use with membership in trusted page vector 322. In one embodiment, PTE-edit control module 220 marks all pages that contain the PTE-EC data tables as members of trusted page vector 322. Trusted page vector 322 may also cover itself, i.e., contain an access value indicating that trusted page vector 322 is trusted.

FIG. 4 illustrates a method of storing data in accordance with an embodiment of the invention. First, in step 402, data is stored in a memory page. The memory page may be physical memory page 304 shown in FIG. 3. Next, in step 404, it is determined whether the data is trusted data. Data may be identified as trusted data by nub operating system 216. When the data is not trusted data, in step 406, the physical memory page is mapped with at least one page map page stored in non-trusted memory. Next, in step 408, the at least one page map page is identified as trusted in trusted page vector 322. When the data is identified as trusted data, in step 410, the physical memory page is mapped with at least one page map page stored in trusted memory, such as trusted pages 222 shown in FIG. 2. Next, in step 412, the physical memory page is identified as trusted in trusted page vector 322. If the data is identified as protected by nub operating system 216, there exists no mapping that can be used by the main operating system to reach this data page. PTE-edit control module 220 may ensure that there is never a read or write mapping to the trusted page that can be used by main operating system 214. In one embodiment of the invention, nub operating system 216 has its own mappings exclusively for nub operating system 216 and for the trusted processes that nub operating system 216 hosts.

FIG. 5 illustrates a method of controlling access to trusted memory pages in accordance with an embodiment of the invention. First, in step 502, a processor is configured to operate in a page-mapping mode. While in the page-mapping mode, access to memory will be limited by controlling the entries that will be included in the page map pages. In “multi-mode” machines (e.g., the x86) the machine may be locked into one mode that works with nub operating system 216. For example, on a 64-bit x86 machine, the machine may be locked into 64-bit mode. Or, the machine may be locked into 16-bit segment map mode and a segment map edit control nub operating system may be utilized. In step 504, it is determined whether or not there is an attempt to change the mode of operation of the processor to a mode in which the protections afforded by the page mapping are bypassed. In particular, it may be determined whether or not there is an attempt to change the processor out of page-mapping or segment-mapping mode. When there is an attempt to change the mode of the processor, in step 506 a security violation is declared. Next, in step 508, the security violation causes a context switch into nub operating system 216 for further processing. One skilled in the art will appreciate that a security violation does not have to cause a context switch into nub operating system 216. For example, a write to a read-only page or the load of cr3 can just fault normally to some normal-space fault handler, so long as the write or cr3 load does not actually occur. In one aspect of the invention, when a security violation is declared, nub operating system 216 treats the action as adversarial, or potentially adversarial, clears all data from protected pages, and causes a blue screen or other audio or visual signal indicating a fatal error to be presented to the user.

When there is no attempt to change the mode of the processor, in step 510 it is determined whether or not there has been an attempt to map a trusted memory page. An attempt to map a trusted memory page will necessitate adding page map page entries that point to a trusted memory page. Since the page tables are maintained read-only by PTE-edit control module 220, the edits necessary to map a new page result in a “write to read-only page” fault by the main processor. When such actions occur, the main processor or main operating system 214 may transfer control to PTE-edit control module 220, which will examine the attempted write and allow it, modify it, or disallow it, based on the knowledge of the target page derived from its membership in trusted page vector 322, page map page vector 320 or the root page vector. If the target page is a member of trusted page vector 322, then the PTE-EC module may treat this action as adversarial, clear all private state, and abort. If the target page is a member of page map page vector 320, PTE-edit control module 220 should edit the target page table entry to ensure that the mapping is read-only. This action ensures that all further attempts by the main OS to edit page tables always result in a “write to read-only page” fault, and ensures the continued integrity of the protection mappings.

If the target page is a normal page (not a member of trusted page vector 322 or the root page vector), then the write should be allowed without modification. In one embodiment, if the page being written is not itself a member of trusted page vector 322 (that is, the fault did not involve a protected page map page at all), then PTE-edit control module 220 takes no action, but schedules main operating system 214 to handle the fault (this case indicates other uses for read-only pages).

PTE-edit control module 220 may also be invoked on writes to page tables that are made by main operating system 214 with the purpose of removing pages from the page map. These actions will not affect the integrity of the system and so can be allowed. However, PTE-edit control module 220 may include computer-executable instructions to examine these actions in order to maintain the correctness of page map page vector 320. For example, an edit to a page directory that removes a link to a page table may indicate that the target page can be removed from trusted page vector 322, if there are no other links to this particular page.

PTE-edit control module 220 may also be invoked whenever a new page map is loaded by the processor. The first time a particular page map is used, PTE-edit control module 220 may recursively descend the page directory and page tables to ensure that all mappings maintain the necessary invariant. To perform this, PTE-edit control module 220 may ensure that there is no mapping to a trusted page. If there is, then the mapping may be treated as a fatal error. If the page map provides read-write mappings to any page in page map page vector 320, then the mapping is made read-only. The pages that comprise the page map are added to trusted page vector 322. Furthermore, DMA exclusion vector 610 may be updated to protect the new pages added to trusted page vector 322. Finally, the page directory is added to the root page vector. Once these actions have been performed, main operating system 214 can be re-scheduled using the new page map.

In normal operation, processes are re-scheduled frequently. Once a page map has been checked according to the procedures just described and the root page has been added to the root page vector, subsequent attempts to load this page map can occur without further checking. PTE-edit control module 220 may also be notified whenever a page map is no longer in use. This will typically be a consequence of a process being destroyed. When this happens, PTE-edit control module 220 recursively removes all page tables from trusted page vector 322 and the root from DMA exclusion vector 610.

PTE-edit control module 220 may also be invoked to add pages to the trusted page set, or remove pages from the trusted page set. These actions may be performed at the behest of main operating system 214 or nub operating system 216. If a page is removed from the trusted page set, nub operating system 216 ensures that the page is actually a member of trusted page vector 322, clears it of any private data, and removes it from trusted page vector 322 and DMA exclusion vector 610 (shown in FIG. 6 and described below). If a page is added to the trusted page set, nub operating system 216 ensures that the page is not a member of trusted page vector 322 or page map page vector 320 and then adds it to trusted page vector 322 and DMA exclusion vector 610. Next, in step 512, it is determined whether there has been an attempt to write to read-only memory in a page map page. Step 512 may include comparing the identification of a memory page to the values included in page map page vector 320. When there has been such an attempt, in step 506 a security violation is declared. Steps 504, 510 and 512 may be repeated several times to ensure that the integrity of the trusted memory has been maintained. One skilled in the art will appreciate that aspects of the present invention will work with any virtual-to-physical mapping scheme that routes all addresses through some mapping table.
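The PTE-edit control module behavior described in the preceding paragraphs (the filter applied on a “write to read-only page” fault, the recursive descent the first time a page map root is loaded, and the root page vector shortcut on later loads), as an added example in C that is not part of the patent. It assumes two-level x86 paging with 4 KiB pages over an invented toy physical memory and represents the four vectors as one byte per frame; `pte_edit_filter`, `on_page_map_load`, the verdict names and the sample layout are the example's own. The unlink bookkeeping and the trusted-page add/remove paths are left out to keep the model short.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not the patent's code. Models PTE-edit control module 220:
 * the filter run when the main OS faults writing a page-map page, and the
 * recursive check run the first time a page-map root is loaded. Two-level
 * x86 paging with 4 KiB pages; frames, vectors and the layout are invented. */

#define PAGE_SHIFT   12
#define ENTRIES      1024
#define NFRAMES      64
#define PTE_PRESENT  0x1u
#define PTE_RW       0x2u
#define PTE_FRAME(e) ((e) >> PAGE_SHIFT)
#define MK_PTE(f, fl) (((uint32_t)(f) << PAGE_SHIFT) | (fl))

typedef uint32_t pte_t;
static pte_t phys[NFRAMES][ENTRIES];   /* toy physical memory, one word array per frame */

/* One byte per frame: page map page vector 320, root page vector, trusted page
 * vector 322 and DMA exclusion vector 610 (the patent's "vectors" as bitmaps). */
static uint8_t pmv[NFRAMES], rpv[NFRAMES], tpv[NFRAMES], dev[NFRAMES];

typedef enum { EDIT_ALLOW, EDIT_FORCE_RO, EDIT_FATAL, EDIT_NOT_PAGEMAP } verdict_t;

static void register_map_page(unsigned f) { pmv[f] = tpv[f] = dev[f] = 1; }

/* Leaf rule for one entry: a mapping to a page-map page is forced read-only
 * (rewritten in place); a mapping to any other trusted page is adversarial. */
static verdict_t leaf_rule(pte_t *e)
{
    if (!(*e & PTE_PRESENT)) return EDIT_ALLOW;        /* unmapping never breaks the invariant */
    unsigned f = PTE_FRAME(*e);
    if (f >= NFRAMES) return EDIT_FATAL;
    if (!pmv[f]) return tpv[f] ? EDIT_FATAL : EDIT_ALLOW;
    if (!(*e & PTE_RW)) return EDIT_ALLOW;
    *e &= ~PTE_RW;
    return EDIT_FORCE_RO;
}

/* A directory entry links page table `pt`: it must not live in trusted data
 * memory; it becomes a page-map page (registered first, so a table that maps
 * itself is also forced read-only); then every entry gets the leaf rule. */
static verdict_t link_table(unsigned pt)
{
    if (pt >= NFRAMES || (tpv[pt] && !pmv[pt])) return EDIT_FATAL;
    register_map_page(pt);
    for (unsigned i = 0; i < ENTRIES; i++)
        if (leaf_rule(&phys[pt][i]) == EDIT_FATAL) return EDIT_FATAL;
    return EDIT_ALLOW;
}

/* cr3-load path: a root already in the root page vector loads unchecked; a
 * new root is descended fully before the main OS may run on it. false is
 * fatal: the nub wipes its secrets and halts rather than continue. */
bool on_page_map_load(unsigned root)
{
    if (root >= NFRAMES || (tpv[root] && !pmv[root])) return false;
    if (rpv[root]) return true;
    register_map_page(root);
    for (unsigned d = 0; d < ENTRIES; d++)
        if ((phys[root][d] & PTE_PRESENT) && link_table(PTE_FRAME(phys[root][d])) == EDIT_FATAL)
            return false;
    rpv[root] = 1;
    return true;
}

/* Write-to-read-only fault handler: the main OS tried to store `new_pte` into
 * entry `idx` of frame `map_frame`. The store lands only if allowed, possibly
 * rewritten. Unlink bookkeeping (dropping a table from the vectors once no
 * root links it) is left out of this model. */
verdict_t pte_edit_filter(unsigned map_frame, unsigned idx, pte_t new_pte)
{
    if (map_frame >= NFRAMES || idx >= ENTRIES) return EDIT_FATAL;
    if (!pmv[map_frame]) return EDIT_NOT_PAGEMAP;     /* other read-only page: main OS's own fault */
    pte_t old = phys[map_frame][idx];
    phys[map_frame][idx] = new_pte;
    verdict_t v;
    if (rpv[map_frame])                                /* directory entry: link or unlink a page table */
        v = (new_pte & PTE_PRESENT) ? link_table(PTE_FRAME(new_pte)) : EDIT_ALLOW;
    else                                               /* page table entry: a data mapping */
        v = leaf_rule(&phys[map_frame][idx]);
    if (v == EDIT_FATAL) phys[map_frame][idx] = old;   /* the adversarial edit never stands */
    return v;
}

/* Sample layout: frame 1 directory -> frame 2 page table, which maps frame 3
 * and, deliberately, itself read-write; frame 5 holds trusted data. */
unsigned build_sample(void)
{
    memset(phys, 0, sizeof phys);
    memset(pmv, 0, sizeof pmv); memset(rpv, 0, sizeof rpv);
    memset(tpv, 0, sizeof tpv); memset(dev, 0, sizeof dev);
    phys[1][0] = MK_PTE(2, PTE_PRESENT | PTE_RW);
    phys[2][0] = MK_PTE(3, PTE_PRESENT | PTE_RW);
    phys[2][2] = MK_PTE(2, PTE_PRESENT | PTE_RW);    /* RW self-map of the page table */
    tpv[5] = dev[5] = 1;                             /* trusted page: no mapping anywhere */
    return 1;
}
```

Page tables are registered before their entries are checked so that a table mapping itself, or mapping its own directory, is still downgraded to read-only; checking first and registering afterwards would let that read-write mapping through, and the main OS could then rewrite the page map without ever faulting.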

Typical memory architectures allow other devices direct access to system memory. Such facilities are used by IO devices to perform data transfers to and from main memory. Many computer architectures allow IO devices to bypass the memory protections and rules provided by the virtual memory system, and hence read and write arbitrary physical memory. In one aspect of the invention, to prevent adversarial code from arbitrary modifications of trusted system memory, or the page tables, the memory controller or other hardware may be able to restrict access to certain pages of physical memory under the control of PTE-edit control module 220. A chipset of a memory subsystem is instructed which pages should be inaccessible to devices by setting bits in a DMA exclusion vector. If a particular page is marked as protected in the DMA exclusion vector, then no IO device can read or write to the indicated page. The DMA exclusion vector may be under the programmatic control of PTE-edit control module 220. PTE-edit control module 220 may protect members of trusted page vector 322 by setting appropriate bits in the DMA exclusion vector. Alternative embodiments may differentiate read from write access, and yet others may protect pages on a device-by-device basis (allowing certain privileged devices access to certain otherwise protected pages). Of course, PTE-edit control module 220 may also examine all attempted read and write operations to system memory and respond accordingly.

FIG. 6 illustrates a hardware configuration that may be implemented to limit direct memory access (DMA) to memory modules. In FIG. 6, a DMA chipset 602 is coupled between a central processor unit 604 and a memory module 606. DMA chipset 602 includes a restriction module 608 that is configured to analyze DMA requests and read data stored in a DMA exclusion vector 610. DMA exclusion vector 610 includes access values indicating whether or not physical memory pages of memory 606 are trusted or non-trusted pages. For example, a bit value of 1 may indicate that a given physical memory page is trusted and a bit value of 0 may indicate that the physical memory page is non-trusted.

DMA chipset 602 may be coupled to one or more ports 612, each of which may be coupled to one or more physical devices that have bus master access. When a device coupled to one of ports 612 attempts to read data from or write data to a memory page of memory 606, restriction module 608 retrieves access values from DMA exclusion vector 610 and determines whether the device is authorized to read data from or write data to the memory page. When the access value allows for the reading and writing of data to the memory page, the device operates in a conventional manner. However, when the access value in DMA exclusion vector 610 identifies the physical page as trusted, an error condition is declared.

There are several implementations of aspects of the invention that can preserve trust in low power and power loss states. In one implementation, any time a trust state is lost due to a power condition or other cause, the system memory is scrubbed or reset. For example, if a suspend power state causes the chipset to lose track of DMA exclusion vector 610, on power up, the system memory may be scrubbed. If the hardware is able to keep DMA exclusion vector 610, it may scrub only those pages for which DMA exclusion vector 610 has true entries. Alternatively, if the hardware cannot keep track of DMA exclusion vector 610, it may scrub all of the system memory.
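As an added illustration that is not part of the patent, the following C model shows how restriction module 608 would consult DMA exclusion vector 610 on a bus-master request, and how the scrub-on-resume policy just described depends on whether the chipset retained the vector. The page count, the function names and the 1 = trusted bit encoding from FIG. 6 are modelling assumptions.

```c
/* Added example, not the patent's code: a software model of DMA chipset 602.
 * The restriction module refuses bus-master transfers touching any page whose
 * bit is set in the DMA exclusion vector (1 = trusted, as in FIG. 6).
 * NUM_PAGES, the function names and the scrub policy are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define NUM_PAGES 64u                 /* constructed: a 256 KiB memory module 606 */

static uint8_t  memory[NUM_PAGES * PAGE_SIZE];
static uint64_t dma_exclusion_vector; /* vector 610: one bit per physical page */

/* PTE-edit control module 220 marks a member of trusted page vector 322. */
void dev_protect(unsigned pfn)   { if (pfn < NUM_PAGES) dma_exclusion_vector |=  1ull << pfn; }
void dev_unprotect(unsigned pfn) { if (pfn < NUM_PAGES) dma_exclusion_vector &= ~(1ull << pfn); }

bool dev_is_trusted(unsigned pfn) {
    return pfn < NUM_PAGES && ((dma_exclusion_vector >> pfn) & 1u) != 0;
}

/* Restriction module 608: a device on a port 612 presents a physical address
 * range. Returns true if the transfer may proceed; false is the error
 * condition. This embodiment treats reads and writes alike. */
bool dma_request(uint64_t phys_addr, uint64_t len) {
    if (len == 0 || phys_addr > UINT64_MAX - len) return false;
    uint64_t first = phys_addr / PAGE_SIZE;
    uint64_t last  = (phys_addr + len - 1) / PAGE_SIZE;
    if (last >= NUM_PAGES) return false;                  /* outside memory 606 */
    for (uint64_t pfn = first; pfn <= last; pfn++)
        if (dev_is_trusted((unsigned)pfn)) return false;  /* trusted page hit */
    return true;
}

/* Power-state handling: if the chipset kept vector 610 across the low-power
 * state, scrub only the trusted pages; otherwise trust is lost for every page
 * and all of system memory is scrubbed. Returns the number of pages scrubbed. */
unsigned scrub_on_resume(bool vector_retained) {
    unsigned scrubbed = 0;
    for (unsigned pfn = 0; pfn < NUM_PAGES; pfn++) {
        if (vector_retained && !dev_is_trusted(pfn)) continue;
        memset(&memory[(size_t)pfn * PAGE_SIZE], 0, PAGE_SIZE);
        scrubbed++;
    }
    return scrubbed;
}
```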

The present invention allows for a wide range of hardware optimization. For example, the root page vector may be used to decide which cr3 loads should fault or not, and hardware knowledge of the root page vector, page map page vector 320, trusted page vector 322 and DMA exclusion vector 610 may be used to decide, in the hardware, which page map edits are legal or not, and let the legal ones occur without recourse to nub operating system 216. Nub operating system 216 may be notified of edits that link or unlink a page map page and edits that map or unmap a page.

The present invention has been described herein with reference to specific exemplary embodiments thereof. It will be apparent to those skilled in the art that a person understanding this invention may conceive of changes or other embodiments or variations which utilize the principles of this invention without departing from the broader spirit and scope of the invention as set forth in the appended claims. All are considered within the sphere, spirit, and scope of the invention. The specification and drawings are, therefore, to be regarded in an illustrative rather than restrictive sense. Accordingly, it is not intended that the invention be limited except as may be necessary in view of the appended claims. For example, the present invention can be implemented using a single image multi-processor version of nub operating system 216, using multi-processor synchronization algorithms that are similar to what is used for multi-processor TLB shoot-down.

CLAIMS

1. A method of restricting access to memory, the method comprising: storing data in a memory location; determining whether the data is trusted or non-trusted data; if the data is non-trusted data, then mapping the memory location with at least one page map stored in a non-trusted memory section; and if the data is trusted data, then mapping the memory location with said at least one page map that is stored in a trusted memory section, there being no page map that is stored in any non-trusted memory section that leads to said memory location when said memory location contains trusted data.

2. The method of claim 1, further comprising: configuring a processor that controls access to the at least one page map page to run in a page-mapping mode.

3. The method of claim 2, further comprising: declaring a security violation when the processor changes from the page-mapping mode.

4. The method of claim 2, further comprising: declaring a security violation when the processor changes to another page-mapping mode.

5. The method of claim 1, further comprising: configuring a processor that controls access to the at least one page map page to run in a segment-mapping mode.

6. The method of claim 5, further comprising: declaring a security violation when the processor changes from the segment-mapping mode.

7-9. (canceled)

10. The method of claim 1 wherein the data is trusted data stored in a physical memory page and further comprising: identifying the physical memory page as trusted memory in a trusted page vector; and preventing a direct memory access device from accessing any page that is identified in said trusted page vector as being a trusted page.

11. A computer-readable medium containing computer-executable instructions for causing a computer device to perform the steps comprising: storing data in a memory location; determining whether the data is trusted or non-trusted data; if the data is non-trusted data, then mapping the memory location with at least one page map page stored in a non-trusted memory section; and if the data is trusted data, then mapping the memory location with said at least one page map that is stored in a trusted memory section, there being no page map that is stored in any non-trusted memory section that leads to said memory location when said memory location contains trusted data.

12. The computer-readable medium of claim 11, further including computer-executable instructions for causing the computer device to perform the step comprising: configuring a processor that controls access to the at least one page map page to run in a page-mapping mode.

13. The computer-readable medium of claim 12, further including computer-executable instructions for causing the computer device to perform the step comprising: declaring a security violation when the processor changes from the page-mapping mode.

14. The computer-readable medium of claim 12, further including computer-executable instructions for causing the computer device to perform the step comprising: declaring a security violation when the processor changes to another page-mapping mode.

15-16. (canceled)

17. The computer-readable medium of claim 12, further including computer-executable instructions for causing the computer device to perform the step comprising: identifying the physical memory page as trusted memory in a trusted page vector when the data is trusted data; and preventing a direct memory access device from accessing any page that is identified in said trusted page vector as being a trusted page.

18. A device for restricting direct memory access to a first memory, the device coupled to a central processing unit and comprising: a second memory containing a direct memory access exclusion vector containing access values that identify physical memory pages that do not allow direct memory access; a restriction module coupled to the central processing unit, the first memory and the second memory, the restriction module configured to perform the steps comprising: receiving an identification of a physical memory page in the first memory; comparing the identification to an access value for the physical memory page in the direct memory access exclusion vector; and allowing direct memory access to the physical memory page, by a direct memory access device that accesses memory using a physical address and without using a virtual address, only when the access value allows direct memory access.

19. The device of claim 18, wherein the first memory and the second memory are implemented in the same memory module.

20. The device of claim 19, wherein the identification of the physical memory page is received from a peripheral device having bus master access.

21. The device of claim 18, further including: a third memory that contains at least one page map page mapping only physical memory pages that are identified as non-trusted.

22. A computer device configured to limit access to memory, the computer device comprising: a central processor unit configured to operate in a trusted mode and a non-trusted mode; a first memory portion containing memory pages; and a second memory portion containing at least one non-trusted page map page that only maps the physical memory pages that are identified as non-trusted, there being a set of pages that are designated for the storage of trusted data, and there not being any page map stored in memory pages that are not designated for the storage of trusted data that leads to said pages that are designated for the storage of trusted data.

23. The computer device of claim 20, wherein the central processor unit is operated in a page-mapping mode.

24. The method of claim 1, wherein there are a plurality of page maps and a register that identifies one of the plurality of page maps as being the page map that is currently used to translate virtual addresses by said register's containing the address of the page directory of said one of said plurality of page maps, there being a root page vector that identifies addresses of page directories for one or more page maps that are allowed to be used for translation of virtual addresses, and wherein the method further comprises: if an attempt is made to load an address into said register that is not identified in said root page vector as being the address of a page directory for a page map that is allowed to be used for translation of addresses, then performing at least one of: causing a new page map to be evaluated; taking an action that leads to said new page map being evaluated; and preventing the attempted address from being loaded into said register.

25. The method of claim 1, wherein said page map comprises one or more page tables and a page directory that points to said one or more page tables, and wherein the method further comprises: evaluating an attempt to edit said page directory to ensure that any change effected by the editing of said page directory will not result in a valid, present link to a page table that would result in violation of a barrier between trusted and non-trusted data.

26. The computer-readable medium of claim 11, wherein there are a plurality of page maps and a register that identifies one of the plurality of page maps as being the page map that is currently used to translate virtual addresses by said register's containing the address of the page directory of said one of said plurality of page maps, there being a root page vector that identifies addresses of page directories for one or more page maps that are allowed to be used for translation of virtual addresses, and wherein the steps further comprise: if an attempt is made to load an address into said register that is not identified in said root page vector as being the address of a page directory for a page map that is allowed to be used for translation of addresses, then performing at least one of: causing a new page map to be evaluated; taking an action that leads to said new page map being evaluated; and preventing the attempted address from being loaded into said register.

27. The computer-readable medium of claim 11, wherein said page map comprises one or more page tables and a page directory that points to said one or more page tables, and wherein the steps further comprise: evaluating an attempt to edit said page directory to ensure that any change effected by the editing of said page directory will not result in a valid, present link to a page table that would result in violation of a barrier between trusted and non-trusted data.
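As an added example that is not drawn from the patent, the following C model shows the two checks that claims 24 and 25 layer on top of the barrier rule of claim 1: a cr3 load is accepted only for a page directory listed in the root page vector, and a present link written into a page map page is accepted only if it cannot lead from non-trusted memory to a trusted page. Representing the vectors as 64-bit bitmaps, the simplified entry format and all function names are assumptions.

```c
/* Added example, not the patent's code: a model of the PTE-edit checks in
 * claims 1, 24 and 25. Page map page vector 320, trusted page vector 322 and
 * the root page vector are modelled as 64-bit bitmaps; the entry format and
 * the function names are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>

#define NUM_PAGES 64u
typedef struct { unsigned pfn; bool present; } pte_t;  /* simplified page map entry */

static uint64_t trusted_page_vector;   /* 322: pages holding trusted data */
static uint64_t page_map_page_vector;  /* 320: pages registered as page maps */
static uint64_t root_page_vector;      /* page directories cr3 may be loaded with */

static bool has_bit(uint64_t v, unsigned pfn) { return pfn < NUM_PAGES && ((v >> pfn) & 1u); }
void mark_trusted(unsigned pfn)  { if (pfn < NUM_PAGES) trusted_page_vector  |= 1ull << pfn; }
void mark_page_map(unsigned pfn) { if (pfn < NUM_PAGES) page_map_page_vector |= 1ull << pfn; }
void mark_root(unsigned pfn)     { if (pfn < NUM_PAGES) root_page_vector     |= 1ull << pfn; }

/* Claim 24: a cr3 load is legal only if the page directory is in the root page
 * vector; any other load faults so that the new page map can be evaluated. */
bool cr3_load_allowed(unsigned pd_pfn) { return has_bit(root_page_vector, pd_pfn); }

/* Claims 1 and 25: a present link from page-map page map_pfn must not cross the
 * barrier. A page map stored in non-trusted memory may never lead to a trusted
 * page; unmapping (present = 0) never creates such a link. */
static bool link_allowed(unsigned map_pfn, pte_t e) {
    if (!e.present) return true;
    if (e.pfn >= NUM_PAGES) return false;
    return has_bit(trusted_page_vector, map_pfn) || !has_bit(trusted_page_vector, e.pfn);
}

/* An edit is accepted only on a registered page-map page and only if the
 * resulting link respects the barrier. */
bool pte_edit_allowed(unsigned map_pfn, pte_t e) {
    return has_bit(page_map_page_vector, map_pfn) && link_allowed(map_pfn, e);
}

/* Audit a candidate page-map page (for example before registering it in
 * vector 320): every entry it already holds must satisfy the same rule. */
bool page_map_respects_barrier(unsigned map_pfn, const pte_t *entries, unsigned n) {
    for (unsigned i = 0; i < n; i++)
        if (!link_allowed(map_pfn, entries[i])) return false;
    return true;
}
```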